Honeypots mailing list archives

RE: Windows Honeypot Help


From: "David LeBlanc" <dleblanc () Exchange Microsoft com>
Date: Tue, 17 Feb 2004 11:21:23 -0800



-----Original Message-----
From: Ted [mailto:padmin () adelphia net] 
Sent: Monday, February 16, 2004 4:09 AM
To: honeypots () securityfocus com
Subject: Windows Honeypot Help



Hello,

  Bottom line up front, I'm looking for some kind of script/software
combination that will allow me to emulate services and log interaction
with those fake services on a Win2k honeypot. Now for some details.

  I've been wanting to create a honeypot for quite a while now in order
to do some personal research on tools and methodologies used by hackers
in the wild. Recently, I decided to go ahead and do it. In preparation,
I read Lance Spitzner's book and did some research on the net to gain
perspective on the various aspects of honeypot development and
deployment.
[snip]
-------------------------------------------------------------

When trying to monitor a Windows system, there are some things to think
about that might be helpful - every process has an associated
WindowStation. You can find these with EnumWindowStations.
WindowStations contain one or more desktops, and every thread is
associated with a desktop. If you have enough access rights, you can
open the desktops, determine what windows are running on each desktop,
and then you can monitor the messages going to these windows. It is your
best bet at monitoring something like a terminal server session, or
maybe the local console piped out through VNC or perhaps a backdoor.
Personally, I'd write a service to do this.

This approach won't be much help (I don't think) when dealing with
cmd.exe where stdio has been redirected to a socket handle, but it will
help with other situations.

Hope this helps - 
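The enumeration chain the reply describes (window stations, then their desktops, then the windows on each desktop), written out as an added PowerShell example that is not part of the original post. It assumes a Windows host with PowerShell 5.1 or later; the type name WinStaMon.Native, the function names and the snapshot/diff layout are choices made here, not anything from the list. The idea is the defender's one: take a baseline inventory of the honeypot, take another later, and report windows that appeared in the meantime together with the process that owns them.

```powershell
# Added example (not David LeBlanc's code). Walks EnumWindowStations ->
# EnumDesktops -> EnumDesktopWindows via P/Invoke and returns one row per
# window, so successive snapshots can be diffed. Type/function names are
# chosen here; assumes Windows with PowerShell 5.1+.
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
namespace WinStaMon {
  public static class Native {
    public delegate bool EnumWindowStationProc(string name, IntPtr lParam);
    public delegate bool EnumDesktopProc(string name, IntPtr lParam);
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll", SetLastError=true)]
    public static extern bool EnumWindowStations(EnumWindowStationProc cb, IntPtr lParam);
    [DllImport("user32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
    public static extern IntPtr OpenWindowStation(string name, bool inherit, uint access);
    [DllImport("user32.dll", SetLastError=true)]
    public static extern bool EnumDesktops(IntPtr hWinSta, EnumDesktopProc cb, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool CloseWindowStation(IntPtr hWinSta);
    [DllImport("user32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
    public static extern IntPtr OpenDesktop(string name, uint flags, bool inherit, uint access);
    [DllImport("user32.dll", SetLastError=true)]
    public static extern bool EnumDesktopWindows(IntPtr hDesktop, EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool CloseDesktop(IntPtr hDesktop);
    [DllImport("user32.dll", CharSet=CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder buf, int max);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    public const uint WINSTA_ENUMDESKTOPS = 0x0001;   // needed for EnumDesktops
    public const uint DESKTOP_READOBJECTS = 0x0001;   // needed for EnumDesktopWindows
    public const uint DESKTOP_ENUMERATE   = 0x0040;
  }
}
"@

function Get-WinStaInventory {
    # Names are collected first so the native callbacks stay short; ArrayLists are
    # used because the callbacks run in a child scope and must mutate, not reassign.
    $rows     = New-Object System.Collections.ArrayList
    $stations = New-Object System.Collections.ArrayList
    $cb = [WinStaMon.Native+EnumWindowStationProc]{ param($name, $lp); [void]$stations.Add($name); $true }
    if (-not [WinStaMon.Native]::EnumWindowStations($cb, [IntPtr]::Zero)) {
        throw "EnumWindowStations failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    foreach ($ws in $stations) {
        $hWs = [WinStaMon.Native]::OpenWindowStation($ws, $false, [WinStaMon.Native]::WINSTA_ENUMDESKTOPS)
        if ($hWs -eq [IntPtr]::Zero) { Write-Warning "cannot open window station $ws"; continue }
        $desktops = New-Object System.Collections.ArrayList
        $dcb = [WinStaMon.Native+EnumDesktopProc]{ param($name, $lp); [void]$desktops.Add($name); $true }
        [void][WinStaMon.Native]::EnumDesktops($hWs, $dcb, [IntPtr]::Zero)
        [void][WinStaMon.Native]::CloseWindowStation($hWs)
        foreach ($dk in $desktops) {
            # OpenDesktop resolves names in the station this process is attached to
            # (WinSta0 for an interactive shell); a desktop elsewhere, or one we lack
            # rights to (e.g. Winlogon as a normal user), is recorded without windows.
            $access = [WinStaMon.Native]::DESKTOP_READOBJECTS -bor [WinStaMon.Native]::DESKTOP_ENUMERATE
            $hDk = [WinStaMon.Native]::OpenDesktop($dk, 0, $false, $access)
            if ($hDk -eq [IntPtr]::Zero) {
                [void]$rows.Add([pscustomobject]@{ Station=$ws; Desktop=$dk; PID=$null; Process=$null; Title='<desktop not opened>' })
                continue
            }
            $wcb = [WinStaMon.Native+EnumWindowsProc]{
                param($hWnd, $lp)
                $buf = New-Object System.Text.StringBuilder 256
                [void][WinStaMon.Native]::GetWindowText($hWnd, $buf, $buf.Capacity)
                $owner = [uint32]0   # not $pid, which is a reserved automatic variable
                [void][WinStaMon.Native]::GetWindowThreadProcessId($hWnd, [ref]$owner)
                $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
                [void]$rows.Add([pscustomobject]@{ Station=$ws; Desktop=$dk; PID=$owner; Process=$proc.ProcessName; Title=$buf.ToString() })
                $true
            }
            [void][WinStaMon.Native]::EnumDesktopWindows($hDk, $wcb, [IntPtr]::Zero)
            [void][WinStaMon.Native]::CloseDesktop($hDk)
        }
    }
    return $rows
}

function Compare-WinStaInventory {
    # Report rows present in $Current but absent from $Baseline, keyed on
    # station, desktop, owning process name and window title.
    param($Baseline, $Current)
    $seen = @{}
    foreach ($r in $Baseline) { $seen["$($r.Station)\$($r.Desktop)|$($r.Process)|$($r.Title)"] = $true }
    $Current | Where-Object { -not $seen.ContainsKey("$($_.Station)\$($_.Desktop)|$($_.Process)|$($_.Title)") }
}

# Usage: baseline the honeypot, wait, and list what appeared in the meantime.
$baseline = Get-WinStaInventory
Start-Sleep -Seconds 60
Compare-WinStaInventory -Baseline $baseline -Current (Get-WinStaInventory) |
    Format-Table Station, Desktop, PID, Process, Title -AutoSize
```

Two caveats follow from the objects involved. A service runs in its own non-interactive window station, so run as a service this snapshot sees only that station's desktops unless the service first attaches to WinSta0 with SetProcessWindowStation; and the Winlogon desktop is normally openable only by SYSTEM, which is why an unprivileged run records it as `<desktop not opened>`. The step the reply mentions after enumeration, watching the messages delivered to those windows, goes beyond this script: it needs SetWindowsHookEx with WH_CALLWNDPROC or WH_GETMESSAGE installed from a hook DLL that the desktop's processes load, which is the part worth writing as the service the reply suggests.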


